Chapter 12. Authentication and Authorization
Something important arises at just about this point in your application design and creation. You have four, five, maybe more core pieces of functionality in place to add users, upload photos, and so on. You have a few tables set up in which to store data. You have most of your application's central components built, and even though it's still a simple application, you have a sense of where you're going. And then, in the previous chapter, you added a new piece of functionality: the ability to delete users. It seems like just another feature; just another user requirement to tick off the list. But, wait a second…deleting users? Is that something that you want to offer to all of your users? Of course not. That's an administrative feature. (You might even remember from Building a Simple Admin Page that an early candidate for the name of delete_user.php was admin.php.)
An administrator, of course, is someone who has the responsibility—and more importantly, the capability (and authority)—to manage user accounts and take care of the application on an overarching level. Unfortunately, your application doesn't know that yet. As far as it's concerned, there's no such thing as an administrator. Right now, anyone can hop over to delete_user.php and nuke poor Ryan Geyer, or Robert Powell, or whoever else has signed up through create_user.html, with nothing more than a confirmation box standing between them and digital oblivion. ...
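The gap the chapter is pointing at is that delete_user.php currently performs an administrative action without ever asking who is calling it. The following gate is an added example, not code from the book or its sample application; it assumes a login script that stores the user's id and role in `$_SESSION`, and a `users` table with a `role` column holding `'admin'` or `'user'` (both assumptions, since this excerpt does not show the book's session or table layout). It separates the two questions the chapter title names: authentication (is anyone logged in?) and authorization (is that person allowed to do this?).

```php
<?php
// require_admin.php -- added example, not the book's own code.
// Assumed (not shown in the excerpt): login.php sets $_SESSION['user_id']
// and $_SESSION['role'] after a successful login, and the users table has
// a `role` column whose value is 'admin' or 'user'.

declare(strict_types=1);

session_start();

/**
 * Authentication: return the logged-in user, or null if nobody is logged in.
 */
function current_user(): ?array
{
    if (empty($_SESSION['user_id']) || empty($_SESSION['role'])) {
        return null;
    }
    return [
        'id'   => (int) $_SESSION['user_id'],
        'role' => (string) $_SESSION['role'],
    ];
}

/**
 * Authorization: stop the script unless the current user is an administrator.
 * Returns the admin's session record so the caller can record who acted.
 */
function require_admin(): array
{
    $user = current_user();

    if ($user === null) {
        // Not authenticated: send the visitor to log in, and never run the
        // rest of the admin page.
        header('Location: login.php', true, 303);
        exit;
    }

    if ($user['role'] !== 'admin') {
        // Authenticated but not authorized. Log it: an ordinary user poking
        // at admin-only pages is something you want to be able to see later.
        error_log(sprintf(
            'authorization denied: user %d requested admin-only page %s',
            $user['id'],
            $_SERVER['SCRIPT_NAME'] ?? '(unknown)'
        ));
        http_response_code(403);
        exit('Administrators only.');
    }

    return $user;
}

// --- How delete_user.php would use the gate (first lines of that file) ---
// The PDO connection ($pdo) and the form field name ('user_id') are assumed.
/*
require 'require_admin.php';
$admin = require_admin();                       // nobody else gets past this line

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {    // destructive actions only via POST
    http_response_code(405);
    exit('Use the confirmation form.');
}

$stmt = $pdo->prepare('DELETE FROM users WHERE user_id = :id');
$stmt->execute([':id' => (int) $_POST['user_id']]);
error_log(sprintf('user %d deleted user %d', $admin['id'], (int) $_POST['user_id']));
*/
```

Two design points worth noticing: the check happens on the server at the top of the page, before any database work, so hiding the link from the menu is not what protects the account; and the two failure cases are handled differently (redirect for "not logged in", a logged 403 for "logged in but not an admin"), because the second one is the event a defender actually wants to notice.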
Get PHP & MySQL: The Missing Manual, 2nd Edition now with the O’Reilly learning platform.